Solved open run_once issues

roles/cmp-db-docker/tasks/main.yml

@@ -1,3 +1,5 @@
+# run_once_cmp_db_docker
+
 - name: "For '{{ application_id }}': Set database_application_id (Needed due to lazzy loading issue)"
   set_fact:
     database_application_id: "{{ application_id }}"

roles/cmp-docker-proxy/tasks/main.yml

@@ -1,3 +1,5 @@
+# run_once_cmp_docker_proxy: deactivated
+
 - name: "For '{{ application_id }}': include docker-compose role"
   include_role:
     name: docker-compose

roles/docker-compose/tasks/main.yml

@@ -1,3 +1,5 @@
+# run_once_docker_compose: deactivate
+
 - name: "Load variables from {{ docker_compose_variable_file }} for whole play"
   include_vars: "{{ docker_compose_variable_file }}"
 

roles/pkgmgr-install/tasks/main.yml

@@ -2,7 +2,7 @@
   shell: |
     source ~/.venvs/pkgmgr/bin/activate
     pkgmgr update pkgmgr
-  when: run_once_pkgmgr_update is not defined
+  when: run_once_pkgmgr_install is not defined
 
 - name: update {{ package_name }}
   shell: |
@@ -15,5 +15,5 @@
 
 - name: mark pkgmgr update as done
   set_fact:
-    run_once_pkgmgr_update: true
+    run_once_pkgmgr_install: true
-  when: run_once_pkgmgr_update is not defined
+  when: run_once_pkgmgr_install is not defined

roles/srv-proxy-6-6-domain/tasks/main.yml

@@ -1,3 +1,5 @@
+# run_once_srv_proxy_6_6_domain: deactivated
+
 - name: "include role for {{domain}} to receive certificates and do the modification routines"
   include_role:
     name: srv-web-7-6-composer

roles/srv-proxy-6-6-tls-deploy/tasks/main.yml

@@ -5,11 +5,6 @@
   when: run_once_nginx_docker_cert_deploy is not defined
   notify: restart srv-proxy-6-6-tls-deploy.cymais.service
 
-- name: run the nginx_docker_cert_deploy tasks once
-  set_fact:
-    run_once_backup_directory_validator: true
-  when: run_once_nginx_docker_cert_deploy is not defined
-
 - name: "create {{cert_mount_directory}}"
   file:
     path:     "{{cert_mount_directory}}"
@@ -30,3 +25,8 @@
     on_calendar:  "{{on_calendar_deploy_certificates}}"
     service_name: "srv-proxy-6-6-tls-deploy.{{application_id}}"
     persistent:   "true"
+
+- name: run the run_once_srv_proxy_6_6_tls_deploy tasks once
+  set_fact:
+    run_once_backup_directory_validator: true
+  when: run_once_nginx_docker_cert_deploy is not defined

roles/srv-web-6-6-tls-core/tasks/main.yml

@@ -1,3 +1,5 @@
+# run_once_srv_web_6_6_tls_core: deactivated
+
 - name: "Include flavor '{{ certbot_flavor }}' for '{{ domain }}'"
   include_tasks: "{{ role_path }}/tasks/flavors/{{ certbot_flavor }}.yml"
 

roles/srv-web-7-6-composer/tasks/main.yml

@@ -1,4 +1,4 @@
-# run_once_srv_web_7_7_inj_compose: deactivated
+# run_once_srv_web_7_6_composer: deactivated
 
 - name: "include role srv-web-7-7-inj-compose for {{domain}}"
   include_role: 

roles/srv-web-7-7-inj-css/tasks/main.yml

@@ -1,14 +1,12 @@
-# Load this role via srv-web-7-7-inj-compose for consistency
-
 - name: Generate color palette with colorscheme-generator
   set_fact:
     color_palette: "{{ lookup('colorscheme', global_css_base_color, count=global_css_count, shades=global_css_shades) }}"
-  when: run_once_nginx_global_css is not defined
+  when: run_once_srv_web_7_7_inj_css is not defined
 
 - name: Generate inverted color palette with colorscheme-generator
   set_fact:
     inverted_color_palette: "{{ lookup('colorscheme', global_css_base_color, count=global_css_count, shades=global_css_shades, invert_lightness=True) }}"
-  when: run_once_nginx_global_css is not defined
+  when: run_once_srv_web_7_7_inj_css is not defined
 
 - name: Deploy global.css
   template:
@@ -17,20 +15,20 @@
     owner: "{{ nginx.user }}"
     group: "{{ nginx.user }}"
     mode: '0644'
-  when: run_once_nginx_global_css is not defined
+  when: run_once_srv_web_7_7_inj_css is not defined
 
 - name: Get stat for global.css
   stat:
     path: "{{ global_css_destination }}"
   register: global_css_stat
-  when: run_once_nginx_global_css is not defined
+  when: run_once_srv_web_7_7_inj_css is not defined
 
 - name: Set global_css_version
   set_fact:
     global_css_version: "{{ global_css_stat.stat.mtime }}"
-  when: run_once_nginx_global_css is not defined
+  when: run_once_srv_web_7_7_inj_css is not defined
 
 - name: Mark css as done
   set_fact:
-    run_once_nginx_global_css: true
+    run_once_srv_web_7_7_inj_css: true
-  when: run_once_nginx_global_css is not defined
+  when: run_once_srv_web_7_7_inj_css is not defined

roles/srv-web-7-7-inj-iframe/tasks/main.yml

@@ -1,3 +1,4 @@
+# run_once_srv_web_7_7_inj_iframe: deactivated
 - name: "Load iFrame handler JS template for '{{ application_id }}'"
   set_fact:
     iframe_code: "{{ lookup('template','iframe-handler.js.j2') }}"

roles/srv-web-7-7-inj-javascript/tasks/main.yml

@@ -1,3 +1,4 @@
+# run_once_srv_web_7_7_inj_javascript: deactivated
 - name: "Load JavaScript code for '{{ application_id }}'"
   set_fact:
     javascript_code: "{{ lookup('template', modifier_javascript_template_file) }}"

roles/srv-web-7-7-inj-matomo/tasks/main.yml

@@ -1,4 +1,4 @@
-# Load this role via srv-web-7-7-inj-compose for consistency
+# run_once_srv_web_7_7_inj_matomo: deactivated
 
 - name: "Relevant variables for role: {{ role_path | basename }}"
   debug:

roles/svc-db-postgres/tasks/main.yml

@@ -4,7 +4,7 @@
     state: present
     ipam_config:
       - subnet: "{{ postgres_subnet }}"
-  when: run_once_docker_postgres is not defined
+  when: run_once_svc_db_postgres is not defined
 
 - name: Install PostgreSQL
   docker_container:
@@ -28,7 +28,7 @@
       retries: 5
       start_period: 30s
   register: setup_postgres_container_result
-  when: run_once_docker_postgres is not defined
+  when: run_once_svc_db_postgres is not defined
 
 - name: Wait for Postgres inside the container
   shell: "docker exec {{ postgres_name }} pg_isready -U postgres"
@@ -39,13 +39,13 @@
   when:
     - setup_postgres_container_result is defined
     - setup_postgres_container_result.changed
-    - run_once_docker_postgres is not defined
+    - run_once_svc_db_postgres is not defined
 
 - name: install python-psycopg2
   pacman: 
     name: python-psycopg2
     state: present
-  when: run_once_docker_postgres is not defined
+  when: run_once_svc_db_postgres is not defined
 
 - name: "Initialize database for '{{ database_name }}'"
   include_tasks: init.yml
@@ -53,5 +53,5 @@
 
 - name: Run the docker_postgres tasks once
   set_fact:
-    run_once_docker_postgres: true
+    run_once_svc_db_postgres: true
-  when: run_once_docker_postgres is not defined
+  when: run_once_svc_db_postgres is not defined

roles/update-apt/tasks/main.yml

@@ -3,3 +3,9 @@
     update_cache: yes
     upgrade: dist
     force_apt_get: yes
+  when: run_once_update_apt
+
+- name: run the {{ role_name }} logic just once
+  set_fact:
+    run_once_update_apt: true
+  when: run_once_update_apt is not defined

roles/update-pip/tasks/main.yml

@@ -1,3 +1,4 @@
+# run_once_update_pip: deactivated
 # Deactivated due to that it breaks the system
 # There is no alternative to do the python update
 # 

roles/user/tasks/main.yml

@@ -1,3 +1,4 @@
+# run_once_user: deactivated
 - name: create .bashrc
   template:
     src: "bashrc.j2"

tests/integration/test_run_once_tags.py

@@ -15,30 +15,59 @@ def is_under_root_tasks(fpath):
     return abs_path.startswith(os.path.abspath(ROOT_TASKS_DIR) + os.sep)
 
 
+import os
+import re
+
 def find_role_includes(roles_dir):
     """
-    Yields (filepath, line_number, role_name) for each import_role/include_role usage in roles/,
+    Scan all YAML files under `roles_dir`, skipping any under a top-level `tasks/` directory,
-    but ignores anything under the root-level tasks/ dir.
+    and yield (filepath, line_number, role_name) for each literal import_role/include_role
+    usage. Dynamic includes using Jinja variables (e.g. {{ ... }}) are ignored.
     """
     for dirpath, _, filenames in os.walk(roles_dir):
         for fname in filenames:
             if not fname.endswith(('.yml', '.yaml')):
                 continue
+
             fpath = os.path.join(dirpath, fname)
-            if is_under_root_tasks(fpath):
+            # Skip any files under the root-level tasks/ directory
-                continue  # Skip root-level tasks dir completely
+            if os.path.abspath(fpath).startswith(
+                os.path.abspath(os.path.join(roles_dir, '..', 'tasks')) + os.sep
+            ):
+                continue
+
             try:
                 with open(fpath, 'r', encoding='utf-8') as f:
                     lines = f.readlines()
-            except Exception:
+            except (IOError, OSError):
-                continue  # Ignore unreadable files
+                continue
+
             for idx, line in enumerate(lines):
-                if 'import_role' in line or 'include_role' in line:
+                if 'import_role' not in line and 'include_role' not in line:
-                    block = line + ''.join(lines[idx+1:idx+5])
+                    continue
-                    match = re.search(r'name:\s*[\'"]?([\w\-]+)[\'"]?', block)
+
-                    if match:
+                base_indent = len(line) - len(line.lstrip())
-                        role_name = match.group(1)
+                # Look ahead up to 5 lines for the associated `name:` entry
-                        yield fpath, idx + 1, role_name
+                for nxt in lines[idx+1 : idx+6]:
+                    indent = len(nxt) - len(nxt.lstrip())
+                    # Only consider more-indented lines (the block under import/include)
+                    if indent <= base_indent:
+                        continue
+                    m = re.match(r'\s*name:\s*[\'"]?([A-Za-z0-9_\-]+)[\'"]?', nxt)
+                    if not m:
+                        continue
+
+                    role_name = m.group(1)
+                    # Ignore the generic "user" role include
+                    if role_name == 'user':
+                        break
+
+                    # Skip any dynamic includes using Jinja syntax
+                    if '{{' in nxt or '}}' in nxt:
+                        break
+
+                    yield fpath, idx + 1, role_name
+                    break
 
 
 def check_run_once_tag(content, role_name):